An unescaped payload in exceljs <v1.6 allows a possible XSS via cell value when worksheet is displayed in browser.
CWE-79
CVE-2018-16468
In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
CVE-2018-16471
There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to ‘http’ or ‘https’ and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.
CVE-2018-16474
A stored xss in tianma-static module versions <=1.0.4 allows an attacker to execute arbitrary javascript.
CVE-2018-16480
A XSS vulnerability was found in module public <0.1.4 that allows malicious Javascript code to run in the browser, due to the absence of sanitization of the file/folder names before rendering.
CVE-2018-16481
A XSS vulnerability was found in html-page <=2.1.1 that allows malicious Javascript code to be executed in the user's browser due to the absence of sanitization of the paths before rendering.
